Exploring macOS/iOS DFIR: Free Learning Resources

Background:

Rising macOS fleet in corporate environment requires some level of familiarity with working of macOS. A lot of students and professionals have asked me how they can practice, explore and enhance their skills on macOS iOS DFIR and Malware Analysis. To my surprise, I could not find much details as most of CTF, labs and challenges on various platforms were centered around Windows and Linux but not macOS! So I am sharing some Free Learning Resources for it

Note: This is not a promotional post, this is purely for educational and awareness purpose.

Free Resources for hands-on practice on challenges related to iOS & macOS DFIR and Malware Analysis:

1. TryHackMe

They have 2 rooms for iOS. Check out:

1. iOS Forensics

2. iOS Analysis

TryHackMe recently released a room related to macOS Forensics!

They have mentioned that Part 2 is coming, so stay tuned for it :) Check out:

1. macOS Forensics: The Basics

2. HackTheBox

HackTheBox has a module called macOS Fundamentals to test macOS skills!

This can be used for user awareness about macOS and understand its inner working and it's in built security features.

The best part is they provide a free downloadable Cheat Sheet containing all the commands and its description: here

3. LetsDefend

LetsDefend is my favorite as it has both macOS Forensics and macOS Malware challenge!

All macOS Training and Challenge can be found by filtering as done here

Course:

1. macOS Forensics

2. iOS Forensics

Unfortunately, these are not free, but you can try their VIP/VIP+ free for 7 days by entering your credit card info :(

Challenge:

1. macOS Malware
   

This provides a hands-on experience on analyzing macOS Malware in their lab VM. Unfortunately, its a Windows VM :( but you can still give it a try.

Completing this will earn you sharable badges!

4. CyberDefenders

iOS Labs:

1. Jailbroken

2. Patrick

macOS Labs:

1. Spotlight Lab

5. CTFs

   
   

Register and participate in CTFs which are organized each year by:

1. Magnet Forensics (MVS)

2. Belkasoft (BelkaCTF)

They generally have iOS and macOS Images for Analysis. The best part is you get their commercial tool for free along with it for playing the CTF!

What if you would like to explore more of macOS/iOS DFIR?

macOS/iOS Datasets can be found at:

1. CFReDS by NIST

2. DFIR.training

3. Stark4n6 Startme Page (Check CTF/Test Images)

• My advice would be to take older CTFs, download their datasets and try it on your own.

• Don't worry if you don't have any commercial tools, use iLEAAP and commandline tools on macOS.

You can also refer CTF writeups like:

1. Stark4n6

FOSS:

1. Autopsy

2. iLEAAP

Commercial tools can provide you a trial for 15-30 days.

Below listed companies are generous in giving trials to students and others:

1. Belkasoft

2. Magnet Forensics

3. E3

Advise: Use your student/educational email address while registering/requesting the trial version of commercial softwares.

Some other macOS/iOS DFIR resources for learning:

1. Cybrary:

A free course on macOS Forensics

2. YouTube Videos:

SANS Institute:

• MAC Forensics Playlist

• SANS DFIR WEBCASTS - Analysis and Correlation of Macintosh Logs

  
  

JSAC

• Although this is in Japanese language, this is a really good resource!

• [JSAC2022] Workshop: An Introduction to macOS Forensics with Open Source Software

13Cubed

• What's In .DS Store for You? - macOS Forensics

• Getting Started with Fuji - The Logical Choice for Mac Imaging

  
  

Sam Bowne

• Investigating Mac OS X Systems Part 1

• Investigating Mac OS X System Part 2

• Investigating Mac OS X Systems

• Investigating Mac OS X Systems

• Mac Forensics

Misc

• macOS & iOS - Security